
Not dead… Still blogging… Just busy…

July 1st, 2009 | No Comments | Posted in News

I’m still alive and so is my blog. Life has just been really crazy busy between family, work, and teaching. Sorry about the site being down the last couple days. Everything is up and working now.

I’ll try to finish the pile of half-baked posts I have in my drafts folder. Until then, hit me up on Twitter if you have an idea for a post or just want to chat.

@tnicholson

Secunia PSI now inspects browser plugins for secure browsing.

May 29th, 2009 | No Comments | Posted in News

Late last year I wrote a post on Secunia PSI, a free program (for personal use) that inspects all the software installed on your Windows system and reports which installed applications are insecure, i.e. have a known vulnerability for which the vendor has already released a fix. I’ve been suggesting PSI to friends, family and students for some time, but yesterday Secunia released a new BETA.
The latest BETA from Secunia adds a “Secure Browsing” feature. Here is the description found on the Secunia blog.

Secure Browsing
Secure Browsing is without a doubt one of the most important aspects of online security. If your browser (Internet Explorer, Firefox, etc.) or its plugins (Adobe Flash Player, QuickTime, Sun Java, etc.) are vulnerable, then you’re exposed to security threats every single time you visit a website. This is a fact that can’t be disputed.

A new feature in the Secunia PSI, called “Secure Browsing”, is here to help.

We know that keeping track of your installed browsers, browser plugins, and programs that integrate directly with your browser can be very difficult.

The “Secure Browsing” feature tells you what programs and plugins are integrated directly with your browsers – it is extremely important to know that it’s not just your browser you start up and expose when surfing.

As an additional bonus, the “Secure Browsing” feature also includes information about unpatched vulnerabilities. Vulnerabilities where the vendor has yet to react and create a proper solution to a known security problem.

I think this is a great new feature to add to PSI. In addition to keeping your installed client-side applications secure, Secunia PSI can now help you keep your web browsers and their plugins secure as well.

I pulled down the latest BETA yesterday and so far I’ve been happy with it. So if you are already using PSI, I would suggest upgrading to the BETA, and if you’ve never used PSI now might be a great time to start.

Download the free Secunia PSI 1.0.0.5 BETA:
http://secunia.com/PSISetupBeta.exe

DIY CISS Degree: 100 Open Courses on Computer Information Systems and Security

May 12th, 2009 | 1 Comment | Posted in Software, Web

I was sent an email today by Kelly Sonora about some free open courses. I was familiar with the MIT Open Courses, since they started offering those several years ago, but the other schools were new to me. Shown below is the list of the “Security” related courses. The complete list includes courses covering numerous topics including, but not limited to, databases, web development, business management, law, and more. So if you’re looking for some formal academic training, I would suggest you check these courses out.

Security

  1. Network and Computer Security: Through this course, students will learn to create secure multi-computer networks, encrypt data, use security monitoring software, assess risk and much more. [MIT]
  2. Selected Topics in Cryptography: If you’d like to address some of the more advanced issues in cryptography, this course is an ideal way to do so. [MIT]
  3. Cryptography and Cryptanalysis: Check out these courses for a great introduction to the modern uses of cryptography. [MIT]
  4. Advanced Topics in Cryptography: Focusing on topics like interactive proofs, zero-knowledge proofs, secure protocols, and two-party secure computation, this course will help you take your cryptography studies to the next level. [MIT]
  5. Introduction to Information Security: This course is a very basic introduction to the reasons and methods for securing confidential information. [OpenLearn]
  6. Network Security: Beginners can learn the basics of network security through this course. [OpenLearn]
  7. Hyper-Encryption by Virtual Satellite: Watch this video lecture to learn about the role satellites may play in encryption and the failings of many present methods. [Harvard@Home]
  8. A Worldview through the Computational Lens – Part III: Cryptography: Secrets, Lies, Knowledge, and Trust: Those interested in the role of computers in the modern world will enjoy this lecture that focuses on the benefits and problems associated with digital security. [Princeton]

As someone who takes pride in being a lifelong learner, I would also suggest that those looking for more resources check out iTunes U. They have a small collection of “security” related courses that are free to download. Again, these are all from an academic perspective, but unlike professional “just the facts” type classes, it never hurts to have a solid foundation in the fundamentals to build upon.

If you have additional resources for quality “security” related training please post them in the comments.

Compliance mandates shouldn’t be your companies security baseline.

March 19th, 2009 | 3 Comments | Posted in News

This week I started teaching a new session of classes. One of the classes I’m teaching is on ethics, policies and procedures. The objective of the class is to teach students the ethics associated with network security, and the process of developing policies, including standards and guidelines, along with the procedures that go with them. No matter what I do I always feel like the class turns into a business/psychology type of class rather than a network security class. I guess that’s because the reason for policies and procedures is users and the need to protect company data.

In the first part of the class we focus on policies. One of the items we discuss is where these policies come from. We all know that the mission of any business is to make money. So if security is a cost center, how does a business decide what money it will spend on security? Well, one motivator for businesses to spend money is to meet compliance mandates. This comes back to the fact that a business will not spend money on something unless it has to by law or because it provides an ROI.

The ones we focus on in class include PCI DSS, GLBA, HIPAA, FISMA and ISO 27001/27002, all of which are discussed in some detail throughout the class. The problem I have is that for some businesses these mandates are the baseline for their security, meaning that some businesses will only spend money on security to the point that they are compliant and then stop. Now this could be for a number of reasons: time constraints, costs, lack of resources to do anything more, etc. The point is that some believe that nothing bad can happen to them, until it does. I honestly don’t know why. What I do know is that none of the security compliance mandates I listed is intended to be the “be-all end-all” for securing a business. Each one has a focus, and that focus does not take into account any other aspect of the business or the technology involved.

So if you’re in a position to drive change in your department, organization or corporation, please help to educate and communicate the real security requirements needed to protect the company’s mission, its customers and its employees. I think one of the clearest and most concise statements about compliance recently made was by Michael Starks in his “An Open Letter to CEO’s” post.

…we need to have a security program that is perpetually healthy–one that creates and builds a security culture.  It needs to be healthy enough where passing audits is a natural consequence of how we handle information.

Meeting security compliance mandates should be a positive side effect of your security practices not the motivation for them.

I am always open to feedback so please feel free to post a comment.


Suggested reading “So, You Wanna Be in InfoSec?”

February 25th, 2009 | 1 Comment | Posted in News

Every class I get students asking me how they can get into the security field. I tell them what I know, but I think this post sums it all up pretty well. It also helps that it’s coming from someone that “does” security rather than someone who “teaches” security.

So, You Wanna Be in InfoSec?

Here is another post about a career in Ethical Hacking.  I highly suggest checking out this mp3/pdf presentation.

DIY Career in Ethical Hacking: The R-Rated Version

If you’re a security professional and want to share your story, I would like to hear it in the comments. If you have a website where you have already shared your story, post a link and I’ll add it to this post.

Server migration almost complete.

February 21st, 2009 | No Comments | Posted in News

I wanted to let my readers know that I’m almost done migrating my blog to a new host. I still need to check that everything made it over, but for the most part I think it’s done.

The Wiki is offline for now but I hope to get it back online tomorrow. I have added support for iPhone/Touch devices. I will be making some other enhancements to the site as I now have more resources to work with on my new server.

Sorry for anyone who has experienced trouble with the site the last 24 hours. My attempt to make the cut transparent was a failure. Once this is all done I hope to get back to blogging and produce more videos soon.

Thanks for visiting and come back to see what’s new.

Getting Nessus running on your home network FREE

February 10th, 2009 | No Comments | Posted in HowTo


Getting Nessus running on your home network FREE from Thomas Nicholson on Vimeo.

Nessus is one of the most commonly used network vulnerability scanners on the market. Anyone that does network assessments has used Nessus or one of the many other alternatives like Immunity, Core or even OpenVAS. I wanted to share with those that might be new to Nessus how you can get the “Home Feed” for FREE for personal use. Please be sure to read the ToS in its entirety before you download Nessus.

Nessus has two components: a client interface and a server process/manager. Nessus supports Windows, Linux and Mac OS X, and you can mix and match the client and server software. For example, I have the Nessus server software installed on one of my Linux servers and the Nessus client installed on my Windows netbook.

You can download Nessus from the Tenable website. If you’re just installing the client you don’t need to enter a registration key, but you will need one to install the Nessus server. If you wanted, you could install the Nessus client on every computer on your home network. When you install the Nessus server it will ask for a registration key. You can get the key for the Home Feed free on the Tenable website; Tenable will send you an email with the key. Once you enter the key and it’s validated, the installer will ask if you want to run the plugin update. After that, if you leave the server running, it will update every 24 hours. Once the server is updated and the client software is installed you’re ready to go. (I’m working on a short video walk-through, but Tenable has a few video demos on their website.)

The Home Feed has some major limitations with respect to functionality. The first is that the plugin updates you get with the Home Feed are not as current as the ones you would get with the paid Professional Feed. I’m not sure how “current” the Home Feed is, but I would not expect Nessus to find anything less than a month old. It could be longer or shorter; I don’t know for sure.

In addition to the delayed updates, the Home Feed doesn’t have all the policies that come with the Professional Feed: by default you are limited to two, a generic scan policy and a Windows Patches policy. You can create as many custom policies as you would like, but they won’t come pre-built for you. You can read more about the differences between the Home and Professional feeds in the comparison matrix on the Tenable website.

Bottom line: if you want to get a basic feel for Nessus and an idea of how it works, the Home Feed is great. But I wouldn’t assume that you understand the “full capability” of Nessus without the Professional Feed.
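Once a scan has run, the next step is triaging what the server hands back, and with a delayed feed it is worth knowing how old the newest check you ran actually was. The block below is an added example of mine, not code from the original post or from Tenable. It assumes the XML export format used by later Nessus releases (the `NessusClientData_v2` layout with `ReportHost` and `ReportItem` elements, which may not match the version you install), summarises findings by severity, lists hosts with High findings, and reports the newest `plugin_modification_date` seen as a rough indicator of feed currency. The embedded report is constructed for illustration; its plugin IDs, names and dates are made up and do not refer to real Nessus plugins.

```python
"""Added example: summarise a Nessus XML export (NessusClientData_v2 layout)."""
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample in the NessusClientData_v2 layout. Plugin IDs, names and
# dates are invented for illustration and do not refer to real Nessus plugins.
SAMPLE_REPORT = """<NessusClientData_v2>
 <Report name="home-lan">
  <ReportHost name="192.168.1.10">
   <HostProperties><tag name="host-ip">192.168.1.10</tag></HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
               pluginID="900001" pluginName="Example: SMB service missing vendor patch"
               pluginFamily="Windows">
    <risk_factor>High</risk_factor>
    <plugin_modification_date>2009/02/03</plugin_modification_date>
   </ReportItem>
   <ReportItem port="139" svc_name="smb" protocol="tcp" severity="1"
               pluginID="900002" pluginName="Example: SMB share enumeration"
               pluginFamily="Windows">
    <risk_factor>Low</risk_factor>
    <plugin_modification_date>2008/11/12</plugin_modification_date>
   </ReportItem>
  </ReportHost>
  <ReportHost name="192.168.1.20">
   <HostProperties><tag name="host-ip">192.168.1.20</tag></HostProperties>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
               pluginID="900003" pluginName="Example: SSH server outdated"
               pluginFamily="Misc.">
    <risk_factor>Medium</risk_factor>
    <plugin_modification_date>2009/01/20</plugin_modification_date>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def parse_report(xml_text):
    """Flatten every ReportItem into a dict carrying its host and key attributes."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "modified": item.findtext("plugin_modification_date", ""),
            })
    return findings


def severity_counts(findings):
    """Count findings per severity label."""
    return Counter(SEVERITY_NAMES.get(f["severity"], "Unknown") for f in findings)


def hosts_at_or_above(findings, minimum=3):
    """Hosts with at least one finding at the given severity or higher (default High)."""
    return sorted({f["host"] for f in findings if f["severity"] >= minimum})


def newest_plugin_date(findings):
    """Newest plugin_modification_date in the report (YYYY/MM/DD sorts lexically).

    With a delayed feed this is roughly how current the newest check you ran was.
    """
    return max((f["modified"] for f in findings if f["modified"]), default="")


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(dict(severity_counts(found)))
    print("hosts needing attention:", hosts_at_or_above(found))
    print("newest plugin in report:", newest_plugin_date(found))
```

Point `parse_report` at the contents of a saved `.nessus` file to use it on a real scan; if the newest plugin date is weeks behind the current date, that is the Home Feed lag showing up in your results.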

I hope this information is useful and if you’re using Nessus on your home network. Also check out my post about OpenVAS which is a fork of Nessus that is free and Open Source.


Where to learn more about Maltego and a big thanks…

January 13th, 2009 | No Comments | Posted in News

Last night in my Intermediate Network Security class we did a lab on information gathering as it pertains to Network Security Assessments. We had discussed in the previous week Web and Newsgroup searches, WHOIS look-ups, BGP and DNS querying, along with Web crawling. I usually reference websites like Google, Netcraft, Fixed Orbit and the like to get the students started. Last year I did a demo of Maltego after I had read about it being showcased at one of the cons. At the time the only real pitch I could make was that it did what a lot of separate web sites did, all in one workspace. It was all new to me, but I really didn’t learn the full power of Maltego until I started reading articles and posts by people like Rob Fuller (Mubix) and Chris Gates (Carnal0wnage).

So this time around I decided I wanted to get the students using Maltego. In that effort I was successful, even if it was only for one night. To prepare for the night’s lab activity I asked the @SecurityTwits for some help finding more information about Maltego. Both Mubix and Carnal0wnage stepped forward and shared all that they had. I want to say thanks to both of them, and would also like to refer all my students, and anyone else looking for more information about using Maltego, to check out the following two websites and related articles.

Carnal0wnage – http://carnal0wnage.blogspot.com
Maltego Part I – Intro and Personal Recon
Maltego Part II – Infrastructure Enumeration (links will be updated when posts are published)

Mubix – http://www.room362.com
Maltego 2 and beyond – Part 1
Maltego 2 and beyond – Part 2
Maltego 2 and beyond – Part 3
Maltego 2 and beyond – Part 4 (links will be updated when posts are published)
Maltego 2 and beyond – Part 5 (links will be updated when posts are published)

Twitter Accounts Hacked Yesterday

January 6th, 2009 | No Comments | Posted in Attacks, Tools

Yesterday morning I learned that some Twitter accounts had been hacked. People were getting DMs from people they followed containing shortened links that sent them to malicious/phishing websites. Later that afternoon I checked the Twitter Status page and found this post.

A number of high-profile Twitter accounts were compromised this morning, and fake/spam updates were sent on their behalf.

We have identified the cause and blocked it. We are working to restore compromised accounts.

As a precaution, it would be prudent to reset your Twitter password and make sure email in your settings is your own.

More details to come.

By the end of the day over a dozen blogs had posted about whose accounts had been hacked, and even some screenshots of the crazy Tweets and DMs. People smarter than me have written about all the Web 2.0 vulnerabilities that exist and speculated on how the accounts were hacked. All I want to share are the following points.

  • When you sign in to Twitter make sure you’re on the right website. Twitter has an HTTPS login page, so before you sign in make sure you’re on the SSL page before submitting your user name and password. (I wonder if the SSL cert is MD5 signed?)
  • Remember your Twitter ID is the same as your user name. So if someone is trying to brute force your account they already have half the info they need.
  • Twitter requires a minimum password length of 6 characters. But I know from experience that passwords over 24 characters work. So use a unique, long and strong password.
  • Remember you should never need to give your password to a 3rd party Twitter service. Any service that requires a password is either a phishing attempt or developed by an idiot. Either way you don’t want to use the service.
  • If you use a 3rd party client, rather than the Twitter website, you’re giving up some control. A rogue 3rd party client could work as a client and also be phishing accounts.
  • Make sure you know who you’re following on Twitter. Only people you’re following can send you a DM. You don’t need to follow everyone on Twitter or everyone that follows you.
  • Think twice before clicking on a link. This is especially true for those that access Twitter from work. It’s one thing to be “social networking”, it’s another to be landing on websites that violate Internet use policies. UPDATE: TinyURL will let you “enable” the preview feature on all TinyURLs before visiting the linked-to website. This only works for TinyURL; to enable it go to http://tinyurl.com/preview.php.
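The MD5 question in the first point can be answered directly rather than wondered about. What matters is the hash the CA used when it signed the certificate, and that is recorded in the outer `signatureAlgorithm` field of the X.509 structure. The block below is an added example of mine, not code from the original post or from Twitter: it walks the outer DER layers of a certificate with a minimal TLV reader, decodes the algorithm OID, and flags MD5 (and SHA-1) signatures. It uses only the standard library. The `sample_cert` helper builds a constructed, certificate-shaped blob with the right outer layout (it is not a real certificate); `fetch_der_cert` is the optional live path using the `ssl` module against a host of your choosing.

```python
"""Added example: read the signature algorithm of an X.509 certificate.

Certificate ::= SEQUENCE {
    tbsCertificate      SEQUENCE,
    signatureAlgorithm  SEQUENCE { OID, params },   -- what the CA signed with
    signatureValue      BIT STRING }
"""
import ssl

# Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
WEAK_HASH_PREFIXES = ("md2", "md5", "sha1")


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next N bytes hold it
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted form."""
    first = raw[0]
    parts = ["2", str(first - 80)] if first >= 80 else [str(first // 40), str(first % 40)]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends this sub-identifier
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def signature_algorithm_oid(der_cert):
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, pos, _ = _read_tlv(der_cert, 0)            # Certificate SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = _read_tlv(der_cert, pos)        # skip tbsCertificate entirely
    _, alg_pos, _ = _read_tlv(der_cert, tbs_end)    # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der_cert, alg_pos)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(der_cert[oid_start:oid_end])


def check_signature(der_cert):
    """Return (algorithm_name, is_weak) for a DER-encoded certificate."""
    oid = signature_algorithm_oid(der_cert)
    name = SIG_ALG_OIDS.get(oid, oid)
    return name, name.lower().startswith(WEAK_HASH_PREFIXES)


def fetch_der_cert(host, port=443):
    """Fetch the leaf certificate presented by host:port as DER bytes (needs network)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# --- constructed sample: only the outer layout is real; this is not a certificate ---
def _der(tag, content):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # base-128, high bit set on all but the last
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return _der(0x06, bytes(body))


def sample_cert(sig_oid):
    """Certificate-shaped blob whose signatureAlgorithm is sig_oid (hypothetical)."""
    tbs = _der(0x30, _der(0x02, b"\x01") + _der(0x04, b"\x00" * 200))  # forces long-form length
    alg = _der(0x30, _oid(sig_oid) + _der(0x05, b""))                  # OID + NULL parameters
    sig = _der(0x03, b"\x00" * 129)                                     # dummy BIT STRING
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(oid, check_signature(sample_cert(oid)))
    # Live check of a real site, e.g.: print(check_signature(fetch_der_cert("twitter.com")))
```

Run `check_signature(fetch_der_cert("twitter.com"))` to answer the question for the real login page. Note that the weak hash that matters can sit anywhere in the chain, not just on the leaf, so a thorough check repeats this on each intermediate certificate the server sends.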

For those that want to read more check out the following links:
Following The Twitter Hack Trail To DigitalGangster
Twitter Gets Hacked, Badly
Celebrity Twitter Accounts Hacked (Bill O’Reilly, Britney Spears, Obama, More)

Remember the point of social networking sites like Twitter is to meet people and build networks. You can’t do that in a locked box but remember to be responsible when you use any type of technology, Social Networking or otherwise.

If you have anything you would like to add, I would like to read about it in the comments.


Wifi Hacking with a Mobile Phone

December 23rd, 2008 | 4 Comments | Posted in News

@hdmoore posted a tweet this morning linking to a YouTube video of someone using a cell phone for wifi hacking. I recently got an iPhone and have read a few reports of people running Metasploit Lite on it. This is the first time I have seen it in action on any cell phone. I’m not ready to jailbreak my new iPhone yet, but this would be fun to try.
